Do we have a roadmap for ML support in Metron? If not, how can someone reach out to existing users of Metron and get more input so that we at least collect functional requirements?
From my side, I can share some of the nice-to-have features from a research perspective (i.e., features that would make Metron a better platform to conduct cybersecurity research).

All the best,
Yazan

On Mon, Jun 6, 2016 at 10:12 AM, Debojyoti Dutta <[email protected]> wrote:

> Thx Egon. The idea of labeled data collection is awesome, else we have to
> resort to unsupervised alone. Maybe one of the things the website could do
> is to point to labeled data contributed by users of Metron.
>
> On Mon, Jun 6, 2016 at 12:03 AM, Egon Kidmose <[email protected]> wrote:
>
> > Hi all,
> >
> > I'd be interested in joining that discussion.
> >
> > I'm a phd student applying ML in the security monitoring domain.
> > It is my expectation that I'll be able to contribute with some event
> > correlation and alert filtering methods.
> > (Correlation: Finding events that are relevant to each other. Filtering:
> > Suppressing false alerts from e.g. IDSs, or picking out the relevant ones)
> > You'll see a PR as soon as I have something that is somewhat ready.
> >
> > A particularly interesting issue (to me at least) is the possibilities of
> > using a real, running SOC as the "label factory" for labelled data.
> > Getting real data with labels for supervised methods is one of the great
> > challenges, and I see quite some potential for Metron here.
> >
> >
> > Mvh. / BR
> > Egon Kidmose
> >
> > On Sat, Jun 4, 2016 at 5:02 PM, Yazan Boshmaf <[email protected]> wrote:
> >
> > > One use case of Apache Metron (or OpenSOC) is to analyze amplification DDoS
> > > attacks <https://www.internetsociety.org/sites/default/files/01_5.pdf>.
> > >
> > > With honeypots as information sources (e.g., AmpPot
> > > <http://www.christian-rossow.de/publications/amppot-raid2015.pdf>), you
> > > have the typical UDP/IP features (IP addresses, timestamps, protocols,
> > > ports, payload, etc.), which get enriched with reverse IP data,
> > > geolocation, etc. Some of these attributes can be used as features to
> > > identify and characterize types of reflection attacks (e.g., exploiting
> > > NTP, DNS resolvers, or even RIPv1). Also, it is important to distinguish
> > > attackers from scanners, using certain features like timestamp
> > > synchronization across honeypots, as scanners tend to go through IP blocks,
> > > one by one, as compared to actual attacks.
> > >
> > > These are some of the attributes one might consider for this use case. It
> > > would be nice to have something that does online learning and analytics, so
> > > clustering / classification is done in real-time. Maybe Apache Spark's
> > > MLlib?
> > >
> > > All the best,
> > > Yazan
> > >
> > > On Sat, Jun 4, 2016 at 4:59 PM, [email protected] <[email protected]> wrote:
> > >
> > > > I'm in
> > > >
> > > > On Sat, Jun 4, 2016, 09:53 Yazan Boshmaf <[email protected]> wrote:
> > > >
> > > > > Me too.
> > > > >
> > > > > On Sat, Jun 4, 2016 at 9:43 AM, Franck Vervial <[email protected]> wrote:
> > > > >
> > > > > > hi,
> > > > > >
> > > > > > i am interested.
> > > > > >
> > > > > > regards
> > > > > > On Fri, 3 Jun 2016 at 3:43 PM, Debo Dutta (dedutta) <[email protected]> wrote:
> > > > > >
> > > > > > > Hi
> > > > > > >
> > > > > > > Wondering if anyone is interested in starting a discussion on what kind
> > > > > > > of machine learning based features would be good for Metron …. Would
> > > > > > > love to have the SOC users chime in on the dev list.
> > > > > > >
> > > > > > > The result of the discussion could lead to JIRA items.
> > > > > > >
> > > > > > > thx
> > > > > > > debo
> > > > > > >
> > > >
> > > > --
> > > > Jon
> >
>
> --
> -Debo~
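The attacker-versus-scanner distinction raised in the quoted June 4 message (timestamp synchronization across honeypots, scanners stepping through IP blocks one at a time) can be made concrete as a small feature extractor over reflector-honeypot records. The following is an added worked example and is not Metron project code or code from anyone on this thread. The record layout, the honeypot names and addresses, the thresholds and the sample events are all constructed for the illustration; the source address of an amplification request is the spoofed victim, so "attack" here labels the victim being reflected at, not the real sender.

```python
"""Feature extraction for amplification-DDoS reflector honeypot logs.

Added example, not Metron project code. Honeypot names/addresses,
thresholds and events are assumptions constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed reflector honeypots (constructed). Three share a /24 so a
# block-walking scanner reaches them in address order, minutes apart.
HONEYPOT_IPS = {
    "hp-a": "198.51.100.10",
    "hp-b": "198.51.100.11",
    "hp-c": "198.51.100.12",
    "hp-d": "203.0.113.7",
}


@dataclass(frozen=True)
class Event:
    honeypot: str   # which reflector honeypot saw the request
    ts: float       # epoch seconds
    src_ip: str     # claimed source; spoofed to the victim during an attack
    dst_port: int
    proto: str


def build_sample_events():
    """Constructed sample: one reflected attack, one scanner, one stray packet."""
    events = []
    # Amplification attack: the spoofed victim address arrives at every
    # reflector in near lock-step and at a sustained rate.
    for burst in range(10):
        for j, hp in enumerate(("hp-a", "hp-b", "hp-c", "hp-d")):
            events.append(Event(hp, 1000.0 + burst * 0.5 + j * 0.05, "192.0.2.50", 123, "udp"))
    # Scanner hunting for open NTP reflectors: one probe per honeypot,
    # walking the address space block by block with long gaps.
    for hp, ts in (("hp-a", 2000.0), ("hp-b", 2030.0), ("hp-c", 2060.0), ("hp-d", 2400.0)):
        events.append(Event(hp, ts, "203.0.113.99", 123, "udp"))
    # A single stray DNS packet: not enough evidence either way.
    events.append(Event("hp-b", 3000.0, "198.18.0.1", 53, "udp"))
    return events


def extract_features(events):
    """Per claimed source: honeypot coverage, first-seen spread, rate, ordering."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)

    features = {}
    for src, evs in by_src.items():
        first_seen = {}
        for e in evs:
            first_seen[e.honeypot] = min(first_seen.get(e.honeypot, e.ts), e.ts)
        times = sorted(e.ts for e in evs)
        duration = times[-1] - times[0]
        # Honeypots in the order this source first reached them, as integer
        # addresses; a scanner walking blocks gives an increasing sequence.
        order = sorted(first_seen, key=first_seen.get)
        addrs = [int(ipaddress.ip_address(HONEYPOT_IPS[h])) for h in order]
        walks = len(addrs) >= 2 and all(a < b for a, b in zip(addrs, addrs[1:]))
        features[src] = {
            "honeypots": len(first_seen),
            # Synchronization: how far apart the first arrivals at each honeypot are.
            "spread": max(first_seen.values()) - min(first_seen.values()),
            "pps": len(evs) / max(duration, 1.0),
            "walks_address_space": walks,
        }
    return features


def classify(features, sync_window=2.0, min_honeypots=3, min_pps=5.0):
    """Rule-based labels; the thresholds are assumptions tuned to the sample."""
    labels = {}
    for src, f in features.items():
        if f["honeypots"] >= min_honeypots and f["spread"] <= sync_window and f["pps"] >= min_pps:
            labels[src] = "attack"    # src is the victim being reflected at
        elif f["walks_address_space"] and f["spread"] > sync_window:
            labels[src] = "scanner"
        else:
            labels[src] = "unknown"
    return labels


if __name__ == "__main__":
    feats = extract_features(build_sample_events())
    for src, label in classify(feats).items():
        print(f"{src:14} {label:8} {feats[src]}")
```

The ordering feature alone does not separate the two cases (the attack source also reaches the honeypots in address order, because the constructed reflection list happens to be sorted); the first-seen spread across honeypots is what does, which is the synchronization signal the message points at. These per-source dictionaries are the kind of feature vector that would feed a streaming clusterer or classifier (for example in Spark MLlib, as suggested) rather than fixed thresholds.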
